How to hide SQL Server user databases in SQL Server Management Studio

Problem

I have a SQL Server instance that has hundreds of databases. Navigating the database tree in SSMS is a pain and I was wondering if there was a way to limit the list of databases that I see in SSMS?

Solution

SQL Server consolidation is becoming more popular these days to reduce costs and therefore more and more databases are being put on one instance. It is very common to host multiple databases on a consolidated instance from multiple applications and departments and sometimes application owners want to hide their databases to other users of the instance. They do not want to make their database visible to others. This tip will give you an understanding on how databases can be hidden.

Setup

Suppose there are two databases A and B from two different applications and they are hosted on the same SQL Server instance. The users of database A are not allowed to see database B and vice versa. Here we will create two different logins user_A and user_B and give them appropriate rights to their own databases.

NOTE:-DO NOT MAKE CHANGES IN PRODUCTION WITHOUT PROPER TESTINGS IN LOWER-LIFE CYCLE ENVIRNOMENTS

Hiding all user databases for all logins

Suppose you want to hide all databases for all logins. Generally we hide our databases for security purposes. We can run the below statements to hide all databases for all logins. The databases will then only be visible to sysadmin logins or owners of the database.

USE MASTER
GO
DENY VIEW ANY DATABASE TO PUBLIC
GO

Once you run the above statement, you will not be able to see any databases in SQL Server Management Studio unless you are a sysadmin or your login is the owner of a database(s).

Here you can see in the below screen shot, I have connected using logins user_A and user_B and none of the user databases are showing after running the Deny View access to public.

Only sysadmins and database owners can see databases

To allow the logins to see their databases, I will make both logins the owners for their respective databases. User_A will be owner of database A and user_B will be the owner of database B. Run the below statements to change the database owners.

We can check the database owners by running sp_helpdb. As you can see in the below screenshot that the database owners have been changed for both databases.

Now we can connect to the SQL Server instance again using both logins and see the changes compared to before. Here we can see that only one database is visible for both logins. Database A is visible to user_A and database B is visible to user_B. This is because both logins are now the database owners of these databases.

Does making a user a db_owner work

Now we will create a new login user_C and assign db_owner access to both databases and check whether these databases are visible to this new login.

As we can see below, neither of these databases are visible for login user_C. So from this we can see that you have to be the database owner to be able to see the databases in SQL Server Management Studio if the DENY VIEW ANY DATABASE is enabled for public.

Steps to hide databases for a specific login

Suppose we don't want to do this across the board, but only do this for a specific login. We can run the below statement instead of DENY VIEW ANY DATABASE TO PUBLIC. After running the below statement, this login won't be able to see databases except for any database that this login is the database owner, but all other logins can see the database as long as you did not also deny view to Public.

USE MASTER
GO
GRANT VIEW ANY DATABASE TO PUBLIC; -- turn this back on if it was off
GO
DENY VIEW ANY DATABASE TO USER_A;
GO

Steps to view all databases

By default, the VIEW ANY DATABASE permission is granted to the public role. Therefore, by default, every user that connects to an instance of SQL Server can see all databases in the instance. To grant the VIEW ANY DATABASE permission to a specific login or to all logins run the following query:

--To grant the VIEW ANY DATABASE permission to a specific login.
USE MASTER
GO
GRANT VIEW ANY DATABASE TO [login_name];
GO
--To grant the VIEW ANY DATABASE permission to public.
USE MASTER
GO
GRANT VIEW ANY DATABASE TO PUBLIC;
Go

Note that if you use the DENY VIEW to PUBLIC this overrides the setting for an individual login, so if you DENY VIEW to PUBLIC and GRANT VIEW to a specific login this login will still not be able to see the databases.

If you are using DENY VIEW to PUBLIC and you want a login to still be able to see all databases without making that login a sysadmin you can do the following. Make the login a user in the master database and make that user a db_owner of the master database. This is not a very good option from a security perspective, but this does work. This way a login can see all databases without having to be a sysadmin.

Conclusion

As you can see from the above, there are limited options to hiding databases. Once you hide all databases the only logins that can see the databases are the logins that are the owners of the database or if the login is a sysadmin. Also, each database can only have one owner, so you can't assign multiple owners to the same database.

Post a comment or let the author know this tip helped.

All comments are reviewed, so stay on subject or we may delete your comment. Note: your email address is not published. Required fields are marked with an asterisk (*).

*Name
*Email
Email me updates

Signup for our newsletter
I agree by submitting my data to receive communications, account updates and/or special offers about SQL Server from MSSQLTips and/or its Sponsors. I have read the privacy statement and understand I may unsubscribe at any time.

It seems to be like user has to be the owner of perticular DB which the user is only intended to see that perticular DB. We have a requirement like suppose 'Test' is a DB on 'Myisnatance' DB server(Instance) and there are many users like A, B, C so on and we cant grant all of them DB_owner permission and all of them are suppose to see only 'Test' database and should be able to Read/Write. There are many databases created on 'Myisnatance' DB server(Instance) and users should be able to see their perticular DB's like 'Test', not being owners and should be able to Read/Write. Could you please help in this scenario.

This is an interesting solution; my first thought when I read the problem I thought, why not just filter the database list in the object explorer, like you can do wit the table list...but after looking at the object explorer, I see they didn't include a filter option at the database level. Congrats on your 25th tip!

Denying a user not see all database in instance at the cost of master db ownership is not a wise idea. Logins that only see user databases with public role is not that much dangerous instead of giving a chance to a login to jeopardize an instance master db and bring everything down.

I have a SQL 2012 Cluster enviroment and i set the permisssions to see databases exactly as you described, everything was perfect.

My nightmare started when another user required access to see database "A", how can i do that? the dbo schema of the database can be owned by only one user, so to give him the permissions he wanted i had to undo everything and all users were able see all databases.

I was reading the article "How to hide SQL Server user databases in SQL Server Management Studio" with great interest. However, while the command will prevent SQLCMD and OSQL access, and limited SSMS viewing, it does not prevent an account from actually viewing data. Executing "USE databasename SELECT * FROM tablename" will still allow that public account to view the contents of the table.

From your post we can see except db_owner none will be able to see the databases, until they have the sysadmin access priviledges. My question is whether Use <DatabaseName> will work with any query, if the user has the db_datareader access permission granted, I am asking this as I still not tested the same.

I agree by submitting my data to receive communications, account updates and/or special offers about SQL Server from MSSQLTips and/or its Sponsors. I have read the privacy statement and understand I may unsubscribe at any time.